Script started on Sat Aug 9 15:42:00 2003

[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO hidden modules were found.

NO system call table modifications were found.

NO hidden processes were found.

WARNING: File size is 60133 (should be 58885): /var/log/sa/sa09
WARNING: File size is 1010871 (should be 1010003): /var/log/cron
WARNING: File size is 597700 (should be 597264): /var/log/maillog
NO hidden files were found.

NO hidden TCP port listeners were found.
[root@localhost interrogator]# exit
Script done on Sat Aug 9 16:01:52 2003
[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO hidden modules were found.

NO system call table modifications were found.

WARNING: process id 13745 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing

HIDDEN File found: /tmp/hideme

WARNING: File size is 62629 (should be 61381): /var/log/sa/sa09
WARNING: File size is 1013693 (should be 1012816): /var/log/cron
WARNING: File size is 599450 (should be 599012): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222

[root@localhost interrogator]# exit
[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: f8a0f000 8000 bytes (adore)
Image stored at /tmp/interrogator/adore.o
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall [2]    FAILED  0xf8a0f650  fork
syscall [4]    FAILED  0xf8a0f7e8  write
syscall [5]    FAILED  0xf8a10184  open
syscall [6]    FAILED  0xf8a0f898  close
syscall [18]   FAILED  0xf8a0fbe4  oldstat
syscall [37]   FAILED  0xf8a0f710  kill
syscall [39]   FAILED  0xf8a0f9a0  mkdir
syscall [84]   FAILED  0xf8a0fcd0  oldlstat
syscall [106]  FAILED  0xf8a0fdbc  stat
syscall [107]  FAILED  0xf8a0fe94  lstat
syscall [120]  FAILED  0xf8a0f6b0  clone
syscall [141]  FAILED  0xf8a0f368  getdents
syscall [195]  FAILED  0xf8a0ff80  stat64
syscall [196]  FAILED  0xf8a10080  lstat64
syscall [220]  FAILED  0xf8a0f4dc  getdents64
Suspect module located (0xf89da6d8 - 0xf8a12000)
FOUND 15 Modified syscall table functions

WARNING: Found process id 836 removed from the task_queue.
Launch Path: /root/code/interrogator/demo/trojans/test
WARNING: process id 13745 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 2 Hidden process listings

HIDDEN File found: /tmp/hideme

WARNING: File size is 2336990 (should be 2335392): /var/log/messages

HIDDEN TCP Port Listener found: port 111
HIDDEN TCP Port Listener found: port 139
HIDDEN TCP Port Listener found: port 2222
HIDDEN TCP Port Listener found: port 6000
HIDDEN TCP Port Listener found: port 32768
HIDDEN TCP Port Listener found: port 32769

[root@localhost interrogator]# exit
[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: f8a10000 184700 bytes (homegrown)
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall [3]    FAILED  0xf8a11494  read
syscall [5]    FAILED  0xf8a11020  open
syscall [11]   FAILED  0xf8a10ebc  execve
syscall [13]   FAILED  0xf8a118a0  time
syscall [78]   FAILED  0xf8a1183c  gettimeofday
syscall [141]  FAILED  0xf8a11544  getdents
syscall [220]  FAILED  0xf8a116c0  getdents64
Suspect module located (0xf89db6d8 - 0xf8a3f000)
FOUND 7 Modified syscall table functions

WARNING: process id 1584 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing

HIDDEN File found: /tmp/hideme

WARNING: File size is 1021523 (should be 1020648): /var/log/cron
WARNING: File size is 603820 (should be 603384): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222
[root@localhost interrogator]# exit
fd: 0 READ-WRITE /socket:/[1103]
fd: 1 WRITE-ONLY /var/log/messages
fd: 2 WRITE-ONLY /var/log/secure
fd: 3 WRITE-ONLY /var/log/maillog
fd: 4 WRITE-ONLY /var/log/cron
fd: 5 WRITE-ONLY /var/log/spooler
fd: 6 WRITE-ONLY /var/log/boot.log
SSH_AGENT_PID=4606
HOSTNAME=sring-l.internal.vlan.iwc.sytexinc.com
PVM_RSH=/usr/bin/rsh
SHELL=/bin/bash
TERM=xterm
HISTSIZE=1000
GTK_RC_FILES=/etc/gtk/gtkrc:/root/.gtkrc-1.2-gnome2
WINDOWID=27270368
QTDIR=/usr/lib/qt-3.1
USER=root
LS_COLORS=
PVM_ROOT=/usr/share/pvm3
SSH_AUTH_SOCK=/tmp/ssh-XX3Bs0yB/agent.4542
SESSION_MANAGER=local/sring-l.internal.vlan.iwc.sytexinc.com:/tmp/.ICE-unix/4542
USERNAME=root
MAIL=/var/spool/mail/root
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:/usr/local/netscape
INPUTRC=/etc/inputrc
PWD=/root
XMODIFIERS=@im=none
LANG=en_US.UTF-8
LAMHELPFILE=/etc/lam/lam-helpfile
GDMSESSION=Default
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
HOME=/root
SHLVL=2
PVM_ROOT=/usr/share/pvm3/xpvm
GNOME_DESKTOP_SESSION_ID=Default
BASH_ENV=/root/.bashrc
LOGNAME=root
LESSOPEN=|/usr/bin/lesspipe.sh %s
DISPLAY=:0.0
BROKEN_FILENAMES=1
COLORTERM=gnome-terminal
XAUTHORITY=/root/.Xauthority
_=/usr/bin/ssh
rootfs / rootfs rw 0 0
/dev/root / ext3 ro 0 0
/proc /proc proc rw 0 0
usbdevfs /proc/bus/usb usbdevfs rw 0 0
/dev/sda1 /boot ext3 rw 0 0
none /dev/pts devpts rw 0 0
none /dev/shm tmpfs rw 0 0
none /mnt/hgfs vmware-hgfs rw,nosuid,nodev 0
/dev/sdb1 /mnt vfat rw 0 0



FIG. 30(d) 



Name:      vmware-guestd
State:     R (running)
Tgid:      327
Pid:       327
PPid:      1
TracerPid:
Uid:       0
Gid:       0
FDSize:
Groups:
VmSize:    1424 kB
VmLck:        0 kB
VmRSS:      444 kB
VmData:      48 kB
VmStk:        8 kB
VmExe:       84 kB
VmLib:     1252 kB
SigPnd:    0000000000000000
SigBlk:    0000000000000000
SigIgn:    8000000000000000
SigCgt:    0000000000004a07
CapInh:    0000000000000000
CapPrm:    00000000fffffeff
CapEff:    00000000fffffeff
Script started on Sun Jan 11 10:18:52 2004

[root@localhost recovery]# ./recover
Terminate hidden processes? [Y]
Recover system call table? [Y]
Remove hidden files? [N] Y
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO system call table modifications were found.
NO hidden processes were found.
[root@localhost recovery]# exit
Script done on Sun Jan 11 10:19:03 2004
Script started on Sun Jan 11 10:31:02 2004
[root@localhost adore]# ./startadore
Warning: loading cleaner.o will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module cleaner loaded, with warnings

[root@localhost adore]# /tmp/test
[root@localhost adore]# ps -ef |grep test
root      1302  1276  0 10:35 pts/3    00:00:00 /tmp/test
root      1304  1043  0 10:35 pts/1    00:00:00 grep test

[root@localhost adore]# ./ava i 1302
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
Made PID 1302 invisible.

[root@localhost adore]# ./ava h /tmp/test
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
File '/tmp/test' hided.

[root@localhost adore]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3

[root@localhost adore]# ps -ef |grep test
[root@localhost adore]# exit

Script done on Sun Jan 11 10:35:40 2004
Script started on Sun Jan 11 10:52:37 2004
[root@localhost recovery]# ./recover
Terminate hidden processes? [Y]
Recover system call table? [Y] N
Delete hidden files? [N] N

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING: process id 1302 hidden or just exited (test)
Launch Path: /tmp/test
TERMINATED 1 Hidden process listing
[root@localhost recovery]# exit
Script done on Sun Jan 11 10:54:26 2004
Script started on Sun Jan 11 10:35:21 2004
[root@localhost recovery]# /tmp/test
Running 1
Running 2
Running 3
Running 4
Running 5
Running 6
Running 7
Hangup

Script done on Sun Jan 11 10:55:12 2004

FIG. 36(d) 



Script started on Sun Jan 11 10:57:09 2004
[root@localhost recovery]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3

[root@localhost recovery]# sum /tmp/test
03965 12

[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y] N
Delete hidden files? [N] Y

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

REMOVED /tmp/test

[root@localhost recovery]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3

[root@localhost recovery]# sum /tmp/test
sum: /tmp/test: No such file or directory

[root@localhost recovery]# exit

Script done on Sun Jan 11 10:57:47 2004
Script started on Sun Jan 11 10:57:57 2004
[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y]
Delete hidden files? [N] N

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: d09cb000 7968 bytes (adore)
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall [2]    FAILED  0xd09cb650  fork
syscall [4]    FAILED  0xd09cb7e8  write
syscall [5]    FAILED  0xd09cc184  open
syscall [6]    FAILED  0xd09cb898  close
syscall [18]   FAILED  0xd09cbbe4  stat
syscall [37]   FAILED  0xd09cb710  kill
syscall [39]   FAILED  0xd09cb9a0  mkdir
syscall [84]   FAILED  0xd09cbcd0  lstat
syscall [106]  FAILED  0xd09cbdbc  stat
syscall [107]  FAILED  0xd09cbe94  lstat
syscall [120]  FAILED  0xd09cb6b0  clone
syscall [141]  FAILED  0xd09cb368  getdents
syscall [195]  FAILED  0xd09cbf80  stat64
syscall [196]  FAILED  0xd09cc080  lstat64
syscall [220]  FAILED  0xd09cb4dc  getdents64
RECOVERED 15 Modified syscall table functions

[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y]
Delete hidden files? [N] N

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO system call table modifications were found.
Script started on Sun Jan 11 11:31:47 2004

[root@localhost adore]# ps -ef |grep test
root      1284  1258  0 11:31 pts/1    00:00:00 /tmp/test

[root@localhost adore]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3
test

[root@localhost adore]# ./startadore
Warning: loading cleaner.o will taint the kernel: no license
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module cleaner loaded, with warnings

[root@localhost adore]# ./ava i 1284
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
Made PID 1284 invisible.

[root@localhost adore]# ./ava h /tmp/test
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
File '/tmp/test' hided.

[root@localhost adore]# ps -ef |grep test
[root@localhost adore]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3

[root@localhost adore]# cd ../interrogator/recovery
[root@localhost recovery]# ./recover
Terminate hidden processes? [Y] N
Recover system call table? [Y] Y
Delete hidden files? [N] N

Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: d09cb000 7968 bytes (adore)
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall [2]    FAILED  0xd09cb650  fork
syscall [4]    FAILED  0xd09cb7e8  write
syscall [5]    FAILED  0xd09cc184  open
syscall [6]    FAILED  0xd09cb898  close
syscall [18]   FAILED  0xd09cbbe4  stat
syscall [37]   FAILED  0xd09cb710  kill
syscall [39]   FAILED  0xd09cb9a0  mkdir
syscall [84]   FAILED  0xd09cbcd0  lstat
syscall [106]  FAILED  0xd09cbdbc  stat
syscall [107]  FAILED  0xd09cbe94  lstat
syscall [120]  FAILED  0xd09cb6b0  clone
syscall [141]  FAILED  0xd09cb368  getdents
syscall [195]  FAILED  0xd09cbf80  stat64
syscall [196]  FAILED  0xd09cc080  lstat64
syscall [220]  FAILED  0xd09cb4dc  getdents64
RECOVERED 15 Modified syscall table functions

[root@localhost recovery]# ps -ef |grep test
root      1284  1258  0 11:31 pts/1    00:00:00 /tmp/test
root      1345  1288  0 11:33 pts/2    00:00:00 grep test

[root@localhost recovery]# ls /tmp
ssh-XXAbS7W
ssh-XXEZXD3
test

[root@localhost recovery]# exit

Script done on Sun Jan 11 11:33:21 2004